Advisory Details

July 26th, 2013

Adobe Flash Player Integer Overflow Remote Code Execution Vulnerability

ZDI-13-177
ZDI-CAN-1879

CVE ID CVE-2013-3347
CVSS SCORE 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P
AFFECTED VENDORS Adobe
AFFECTED PRODUCTS Flash Player
VULNERABILITY DETAILS


This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Flash. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the PCM processing code. By providing a malformed audio sample through ActionScript3, an attacker can cause an integer overflow. Using this overflow, an attacker can execute arbitrary code in the context of the Flash player.

ADDITIONAL DETAILS Adobe has issued an update to correct this vulnerability. More details can be found at:
http://www.adobe.com/support/security/bulletins/apsb13-17.html
DISCLOSURE TIMELINE
  • 2013-05-14 - Vulnerability reported to vendor
  • 2013-07-26 - Coordinated public release of advisory
CREDIT vulnazoid
BACK TO ADVISORIES